The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and OGI

Provided by: ohsu7

Transcript and Presenter's Notes

1
The Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and OGI
  • What you need to know

2
What is this?
  • This presentation provides information about the
    Health Insurance Portability and Accountability
    Act of 1996 (HIPAA). This law sets federal
    standards for how OHSU must protect the privacy
    of health information. We are required by law to
    train everyone at OHSU on the HIPAA standards,
    including all faculty, students, staff, and
    volunteers. This includes all OGI personnel.

3
IMPORTANT
In order to receive credit for completing this
material, you must register at the end of the
course. You are responsible for reviewing all of
the material in this presentation. Completion of
this material is federally required.
4
Q & A
Q: What if I have no connection whatsoever with
OHSU patients, health information, or information
systems?
A: You still must review this
information. It is designed to provide general
guidelines regardless of whether you are involved
in patient care or handle health information.
OGI and OHSU's information systems are already
connected. As time goes by, they will become
increasingly interconnected. As this happens, it
is essential that everyone is clear about the
HIPAA standards.
5
Why is this material important?
One reason is that protecting patient privacy
is the right thing to do. Even though you may not
have direct access to patient information, you
may still encounter it, whether in a computer
application, a data printout, or a record left in
the wrong place. The HIPAA standards apply to
even incidental contact with health information.
Another reason this material is important is
that federal penalties for violating HIPAA
standards include up to $250,000 in fines and 10
years in prison.
6
What information is protected under HIPAA?
Protected Health Information, or PHI. PHI is
information:
  • about the physical or mental health of a person,
  • that either identifies or could be used to
    identify a specific individual, and
  • that includes any of the following identifiers.

7
PHI Elements
  • Name
  • Address
  • Names of relatives
  • Names of employers
  • E-mail address
  • Fax number
  • Telephone number
  • Birth date
  • Finger or voice prints
  • Photographic images
  • Any other unique identifying number,
    characteristic, or code
  • Social security number
  • Internet protocol (IP) address
  • Any vehicle or device serial number
  • Web URL
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number

8
Where is PHI at OGI? There are no patients here.
PHI is most likely to be in electronic data and
information systems. Some areas at OGI are
connected to OHSU's computer network, which is
extremely rich in PHI. Also, some OGI personnel
are currently involved in research that may
include PHI. The HIPAA standards apply to PHI in
any format, whether paper, electronic, or oral.
9
What does this have to do with me?
Suppose that a physician at OHSU School of
Medicine contacts you about running statistical
analyses on research data she has collected. You
agree to do so, and she delivers a CD containing
her data. PHI is now in your possession, and you
are responsible for protecting it according to
the HIPAA privacy standards.
10
What does this have to do with me?
Suppose you are on a workstation that is
connected to OHSU's network. Suppose you are
logged on but walk away and leave that computer
unattended. Someone comes along and uses that
open connection to access OHSU's system and
download patient information. You have just
breached patient privacy and violated the HIPAA
standards.
11
What does this have to do with me?
Suppose you work for a researcher who is doing
bioengineering research. You take a printout of
study data to lunch to review it, but forget it
on the table. Someone comes along and looks at
it, and sees that someone they know is a subject
in the study. You have just breached patient
privacy and violated the HIPAA standards.
12
You keep mentioning HIPAA standards. What are
these?
There are three that will be described here. They
are:
  • Minimum Necessary
  • Security Standards
  • Physical Safeguards

13
HIPAA Standard: Minimum Necessary
One of the most important HIPAA standards is
called the Minimum Necessary Standard. It states
that you should only access health information as
necessary and appropriate to fulfill your role as
a student or employee. This means:
  • If you do not need health information to do your
    job, do not access or discuss it.
  • Even if you do need patient information to do
    your job, ensure that this information stays
    private.

14
HIPAA Standard: Security
There are also security standards that apply to
health information that is stored electronically.
These include:
  • Using strong computer passwords. Strong passwords
    combine letters and numbers.
  • Password-protecting databases that contain health
    information, and limiting access to these
    databases
  • Never sharing password or login information
  • Ensuring that logged-on computers are not left
    unattended
  • Logging off workstations when you are finished

15
HIPAA Standard: Physical Safeguards
HIPAA also describes certain physical safeguards
that we must take to protect health information.
These include:
  • Restricting access to sensitive areas
  • Locking filing cabinets or areas that contain
    protected health information
  • Physically securing health records

16
Is all this necessary? Are people really
interested in stealing health information?
Health records contain more than just lab results
and medical histories. They also may contain
social security numbers, account numbers, and
financial information. The rising prevalence of
identity theft indicates that people are very
interested in stealing this information. We are
all responsible for keeping information entrusted
to OHSU safe and private.
17
HIPAA and OGI: The Facts
  • Everyone at OHSU, including all faculty, staff,
    and students at OGI, is accountable for knowing
    and following the HIPAA privacy standards.
  • OHSU's and OGI's information systems are
    interconnected.
  • If you have computer access, you could breach
    patient privacy, even unintentionally.
  • Privacy breaches are subject to disciplinary
    action, as well as federal fines and penalties.
18
HIPAA: What you can do
  • Understand and follow the HIPAA privacy
    standards.
  • Take responsibility for making sure that health
    information is secure, no matter where you may
    find it.
  • If you have a privacy concern or question, take
    action.
19
For more information
For privacy concerns, questions, or more
information, contact OHSU's Office of Information
Privacy and Security.
  • Email: hipaaed_at_ohsu.edu
  • Web: www.ohsu.edu/cc/hipaa
  • Phone: 503-494-8849
20
OHSU Code of Conduct
  • Our Code of Conduct guides the behavior and
    performance of members of the Oregon Health &
    Science University community. As members of that
    community, OGI students, faculty, and staff must
    comply with the Code of Conduct and all other
    OHSU policies. As with other OHSU policies, those
    who violate the Code of Conduct are subject to
    disciplinary action.
  • An electronic version is available at
    http://www.ohsu.edu/cc/codeofco.pdf
  • Hard copies can be picked up at the OGI
    Department of Graduate Education, Paul Clayton
    Building, phone 503-748-1382, e-mail
    grad_ed_at_admin.ogi.edu
  • A Higher Standard OHSU Respect at the University
  • OHSU encourages and respects diversity within the
    university. OHSU does not allow discrimination
    on the basis of race, color, gender, sexual
    orientation, religion, creed, national origin,
    physical or mental disability, marital status,
    age, or veterans status in any activity or
    operation of the institution.
  • OHSU is committed to policies of affirmative
    action and equal opportunity.
  • OHSU values an environment that is free from
    harassment, discrimination and violence.
  • If you observe or encounter discriminatory
    behaviors, harassment, or violence, you have a
    duty to report it to the Affirmative Action
    Equal Opportunity department at 503 494-5148 or
    aaeo_at_ohsu.edu.
  • Questions? If you have questions about the OHSU
    Code of Conduct, please contact the OHSU
    Integrity Office at 503 494-8849.
  • Thank you for helping us all make OHSU a great
    place to work!

21
IMPORTANT: Register Your Completion of This Course
In order to receive credit for completing this
course, you MUST go to https://www.ohsu.edu/ogihipaa
and fill out a registration form. Please
click on the above link to register now.